We use cookies to customise content for your subscription and for analytics.If you continue to browse Lexology, we will assume that you are happy to receive all our cookies. For further information please read our Cookie Policy.

CASL – regulatory guidance for computer program installation rules

Effective January 15, 2015, Canada’s anti-spam law (commonly known as “CASL”) will impose restrictions and requirements for the installation and use of computer programs on another person’s computer system. The rules apply to almost any computer program (not just malware/spyware/harmful programs) installed on almost any computing device (including mobile phones) as part of a commercial activity (regardless of expectation of profit). CASL uses broad and ambiguous terminology (e.g. “install or cause to be installed”, “cause an electronic message to be sent” and “update or upgrade”). As a result, the rules are challenging to interpret and apply.

On November 10, 2014, the Canadian Radio-television and Telecommunications Commission (“CRTC”), which has regulatory authority for the enforcement of CASL’s rules regarding computer programs, published a guidance document entitled “CASL Requirements for Installing Computer Programs” (www.crtc.gc.ca/eng/info_sht/i2.htm). On November 11, 2014, the CRTC gave a presentation regarding the CASL rules. Following is a summary of key parts of the CRTC guidance document and presentation.

Self-Installed Software: The CRTC guidance document explains that the CASL rules do not apply when the owner or authorized user of a computer or device installs a computer program on the computer or device. The guidance document gives examples: (1) the owner of a mobile device accesses an online app store and downloads and installs an app on the device; (2) the owner of a computer buys software on a CD and installs the software on the computer; (3) the owner of a device downloads software from a website and installs it on the device; (4) a business installs software on business devices used by the business’s employees; and (5) the owner of a computer uses an offline process to install a computer program on the computer. During the presentation, the CRTC explained that the self-installation concept applies to the installation of a computer program on a computer or device only if the owner or authorized user of the computer or device intends to install the computer program on the computer or device and knows or reasonably ought to know about the computer program’s functionality.

Owner/Authorized User: The CRTC guidance document explains that the “owner” or “authorized user” of a computer or device includes any person who has permission to use the computer or device. The guidance document gives examples: if an employer provides a device to an employee, then the employer is the owner of the device and the employee is the authorized user of the device; (2) if an individual owns a computer but provides it to their child, spouse, or other relative for their sole use, then the child, spouse or other relative is the authorized user of the computer; (3) if a person leases a device, then the lessor is the owner of the device and the lessee is the authorized user of the device; and (4) if a device is sent out for repair, then the person conducting the repair is an authorized user of the device, but only to the extent that they perform the agreed-upon repairs to the device. During the presentation, the CRTC explained that the relevant time for determining a person’s status as the “owner” or “authorized user” of a device is when the computer software is installed on the device.

Cause to be installed: CASL’s rules apply when a person, in the course of a commercial activity, either “installs” or “causes to be installed” a computer program on another person’s computer system. The CRTC guidance document gives examples of when a computer program is “caused to be installed” - malicious or concealed software that is automatically installed without the user’s knowledge when the user attempts to install other software or inserts a music CD into their computer. During the presentation, the CRTC explained that the “causes to be installed” concept (rather than the self-installed concept) will apply if the owner or authorized user of a computer or device attempts to install a particular computer program but a different or additional computer program is installed, or if a computer program installed by the owner or authorized user of a computer or device has functionalities that are either concealed or could not be reasonably expected by the owner or authorized user.

Deemed Consent for Certain Programs: CASL provides that a person is considered to expressly consent to the installation of certain kinds of computer programs (e.g. a cookie or Javascript) if the person’s conduct is such that it is reasonable to believe that the person consents to the program’s installation. The CRTC guidance document explains that a person will not be considered to have consented to the installation of a cookie or Javascript if the person has disabled those items in the person’s browser software.

Additional Definitions: The CRTC guidance document provides definitions and examples of some important terms used in CASL - “cookie”, “operating system”, “telecommunications service provider”,“correct a failure”,“updates” and“upgrades”. The CRTC guidance document defines “cookie” as a non-executable computer program that cannot carry viruses and install malware. The CRTC guidance document explains that an “update” or “upgrade” makes changes to or replaces a previously installed computer program (e.g. a replacement of a computer program with a newer or better version, in order to bring the program up to date or to improve its characteristics). The CRTC guidance document explains that updated or refreshed data displayed by a computer program (e.g. refreshed weather forecast data in a weather app or refreshed television listings in a programming guide) are not updates or upgrades for the purposes of CASL.

Consent: The CRTC guidance document reminds that a person who seeks and obtains consent to the installation of a computer program has the burden of proving the consent, and therefore should keep a record of the consent.

Updates/Upgrades: The CRTC guidance document reminds that the CASL rules apply to the installation of updates or upgrades to computer programs, subject to limited exceptions. The CRTC guidance document explains that consent to install an update or upgrade on another person’s computer or device may be obtained in various ways, including when a person obtains consent for the installation of the original computer program. The CRTC guidance document cautions that in some circumstances CASL will require consent for the installation of updates or upgrades to a computer program on another person’s computer or device even if consent was not required for the installation of the original computer program (e.g. if the original computer program was self-installed by the owner or authorized user of the computer or device). During the presentation, the CRTC explained that consent is not required for the self-installation of an update or upgrade unless the update or upgrade has concealed or unexpected functionalities.

The CRTC’s guidance is helpful but limited. Numerous aspects of CASL’s software installation rules remain challenging to interpret and apply. The CRTC has indicated that it will continue to refine its interpretation and enforcement policy for CASL’s software installation rules, and will issue further guidance in the near future.